Open ikiril01 opened 9 years ago
I'm wondering if this should also include other useful snippets of network traffic, such as HTTP user agents?
An important aspect of this is capturing information about network infrastructure associated with operationalizing and delivering the malware instance. This would likely involve:
Update: it would also be useful to capture the nature or type of server being used, e.g.,
For C2 and Exfiltration entities, it may make the most sense to define this as a structured Capability property that references existing Objects (such as those originating from Actions).
For example,
<!-- Properties is a container, not an empty element: it must open here and close after its child value -->
<Object id="object-1">
    <Properties xsi:type="AddressObj:AddressObjectType">
        <Address_Value>10.0.0.0</Address_Value>
    </Properties>
</Object>
<Object id="object-2">
    <Properties xsi:type="DomainNameObj:DomainNameObjectType">
        <Value>asdffsdgh.info</Value>
    </Properties>
</Object>
<!-- Each Capability property names its role and points at an Object by id instead of repeating the value -->
<Capability name="command and control" id="capability-1">
    <Property>
        <Name xsi:type="C2PropertiesVocab">C2 server</Name>
        <Object_Reference object_id="object-1"/>
    </Property>
</Capability>
<Capability name="data exfiltration" id="capability-2">
    <Property>
        <Name xsi:type="C2PropertiesVocab">exfiltration server</Name>
        <Object_Reference object_id="object-2"/>
    </Property>
</Capability>
As far as other entities related to malware distribution/origination network infrastructure, I'm wondering if this is more aligned with malware field data (which we already capture to some extent, though it will be refactored per #95), and thus should be captured there? E.g.,
<Object id="object-3">
    <Properties xsi:type="AddressObj:AddressObjectType">
        <Address_Value>10.1.2.3</Address_Value>
    </Properties>
</Object>
<!-- Distribution infrastructure lives in the Malware_Subject's field data and is also referenced by object id -->
<Malware_Subject id="malware-subject-1">
    <Field_Data>
        <Distribution_Site object_id="object-3"/>
    </Field_Data>
</Malware_Subject>
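The reference-based design above (Capability properties and Field_Data entries that point at Objects by id) only pays off if consumers can join the references back to the Objects, and a dangling object_id is the obvious failure mode. The following script is an added example, not code from the issue or from the MAEC project: it loads a constructed document containing the fragments from this thread under a hypothetical `Package` root (assumed here only so the xsi namespace can be declared), indexes the Objects, resolves every C2/exfiltration and distribution-site reference, and reports unresolved ids instead of dropping them. The extra `capability-3` with `object-99` is constructed to exercise the dangling-reference case.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the issue): the thread's fragments under a
# hypothetical <Package> root. capability-3 deliberately references an id
# that no Object carries, to exercise the unresolved-reference path.
SAMPLE_XML = """
<Package xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Object id="object-1">
    <Properties xsi:type="AddressObj:AddressObjectType">
      <Address_Value>10.0.0.0</Address_Value>
    </Properties>
  </Object>
  <Object id="object-2">
    <Properties xsi:type="DomainNameObj:DomainNameObjectType">
      <Value>asdffsdgh.info</Value>
    </Properties>
  </Object>
  <Object id="object-3">
    <Properties xsi:type="AddressObj:AddressObjectType">
      <Address_Value>10.1.2.3</Address_Value>
    </Properties>
  </Object>
  <Capability name="command and control" id="capability-1">
    <Property>
      <Name xsi:type="C2PropertiesVocab">C2 server</Name>
      <Object_Reference object_id="object-1"/>
    </Property>
  </Capability>
  <Capability name="data exfiltration" id="capability-2">
    <Property>
      <Name xsi:type="C2PropertiesVocab">exfiltration server</Name>
      <Object_Reference object_id="object-2"/>
    </Property>
  </Capability>
  <Capability name="command and control" id="capability-3">
    <Property>
      <Name xsi:type="C2PropertiesVocab">C2 server</Name>
      <Object_Reference object_id="object-99"/>
    </Property>
  </Capability>
  <Malware_Subject id="malware-subject-1">
    <Field_Data>
      <Distribution_Site object_id="object-3"/>
    </Field_Data>
  </Malware_Subject>
</Package>
"""

XSI = "{http://www.w3.org/2001/XMLSchema-instance}"


def index_objects(root):
    """Map Object id -> (object type, value). The value is Address_Value for
    address objects and Value for domain-name objects."""
    objects = {}
    for obj in root.iter("Object"):
        props = obj.find("Properties")
        if props is None:
            continue
        # 'AddressObj:AddressObjectType' -> 'AddressObjectType'
        obj_type = props.get(XSI + "type", "").split(":")[-1]
        value_el = props.find("Address_Value")
        if value_el is None:
            value_el = props.find("Value")
        value = value_el.text.strip() if value_el is not None and value_el.text else None
        objects[obj.get("id")] = (obj_type, value)
    return objects


def _lookup(objects, oid):
    """Join a referenced id to its Object; unknown ids yield (None, None)
    and resolved=False so the malformed record is visible, not dropped."""
    obj_type, value = objects.get(oid, (None, None))
    return {"object_id": oid, "object_type": obj_type, "value": value,
            "resolved": oid in objects}


def resolve_capabilities(root, objects):
    """Rows for every Capability/Property/Object_Reference, in document order."""
    rows = []
    for cap in root.iter("Capability"):
        for prop in cap.findall("Property"):
            name_el = prop.find("Name")
            prop_name = name_el.text.strip() if name_el is not None and name_el.text else ""
            for ref in prop.findall("Object_Reference"):
                row = {"capability": cap.get("name"), "capability_id": cap.get("id"),
                       "property": prop_name}
                row.update(_lookup(objects, ref.get("object_id")))
                rows.append(row)
    return rows


def resolve_distribution_sites(root, objects):
    """Rows for every Malware_Subject/Field_Data/Distribution_Site reference."""
    rows = []
    for subj in root.iter("Malware_Subject"):
        for site in subj.findall("Field_Data/Distribution_Site"):
            row = {"malware_subject": subj.get("id")}
            row.update(_lookup(objects, site.get("object_id")))
            rows.append(row)
    return rows


def extract_infrastructure(xml_text):
    """Parse a document and return all referenced network infrastructure."""
    root = ET.fromstring(xml_text)
    objects = index_objects(root)
    return {"capabilities": resolve_capabilities(root, objects),
            "distribution_sites": resolve_distribution_sites(root, objects)}


if __name__ == "__main__":
    result = extract_infrastructure(SAMPLE_XML)
    for r in result["capabilities"]:
        shown = r["value"] if r["resolved"] else "UNRESOLVED " + str(r["object_id"])
        print(f'{r["capability_id"]:14} {r["property"]:20} {shown}')
    for r in result["distribution_sites"]:
        shown = r["value"] if r["resolved"] else "UNRESOLVED " + str(r["object_id"])
        print(f'{r["malware_subject"]:14} distribution site    {shown}')
```

Because the Objects are indexed once and every reference is joined against that index, the same address can be cited by several Capabilities without being duplicated, which is the point of the proposal; a consumer that wants to reject documents with dangling references can simply check for any row with `resolved` set to False.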
We should add the ability to capture the beaconing/callout/C2 Domains used by a malware instance, either as part of a Capability or a separate structure.